
Hades Malware Hijacked AI Security Tools

What Happened

StepSecurity researchers uncovered a malware campaign targeting Python development environments and AI-powered security tools. The malware, named Hades, compromised the C++ library ensmallen and used adversarial prompt injection to trick AI security agents into reporting clean scans while the malware spread through developer systems.

The attack began with a supply chain compromise, using the Bun toolkit for payload execution, and established command-and-control through three independent channels on public GitHub infrastructure. This incident is notable because the malware didn't just evade detection—it manipulated AI security tools to falsely confirm its legitimacy.

Timeline

Initial Compromise: Attackers compromised the ensmallen C++ library, a dependency widely used in Python development.

Payload Delivery: When developers pulled the compromised package, Hades deployed multi-layer payloads using the Bun toolkit, a legitimate JavaScript runtime often overlooked by security tools.

AI Manipulation: As AI-powered security analyzers scanned the code, Hades injected adversarial prompts that led these tools to return false negatives.

C2 Establishment: The malware set up three separate command-and-control channels using public GitHub infrastructure, blending its traffic with normal developer workflows.

Lateral Movement: From compromised developer machines, Hades targeted the Python Package Index (PyPI), attempting to inject malicious packages into the broader supply chain.

Which Controls Failed or Were Missing

Supply Chain Verification (Failed): The team lacked cryptographic verification of package integrity. When ensmallen was compromised, no automated process detected the unauthorized modification before it entered the build pipeline.

AI Security Tool Validation (Missing): The organization deployed AI-powered security analyzers without adversarial testing. These tools lacked mechanisms to detect manipulation through prompt injection.

Runtime Monitoring (Insufficient): Traditional endpoint detection focused on known malware signatures. The use of Bun—a legitimate toolkit—for payload execution bypassed signature-based detection.

Network Segmentation (Weak): Developer workstations had network access to both internal systems and external package repositories. Once Hades compromised a developer machine, it could attempt PyPI uploads without additional authorization.

AI Model Security Controls (Absent): The AI security agents operated without input validation, output verification, or behavioral monitoring. When Hades injected adversarial prompts, nothing prevented the manipulation or logged the anomalous interaction.

What the Standards Require

NIST 800-53 Rev 5 SR-3 (Supply Chain Protection) requires verifying the integrity of software components throughout the supply chain. Implement cryptographic verification of package signatures. Your build pipeline should reject any package that can't present a valid signature chain back to the maintainer's signing key.

ISO/IEC 27001:2022 Annex A.8.31 (Separation of Development, Test and Production Environments) demands logical and physical separation between development and production systems. Developer workstations shouldn't have direct write access to production package repositories. Implement a promotion process with security gates between development pulls and production deployments.

NIST CSF v2.0 GV.SC-02 (Supply Chain Risk Management) requires continuous monitoring of supply chain risks, including verification mechanisms for third-party components. Automate scanning of every dependency update before it enters your environment.

OWASP ASVS v4.0.3 Section 5.5 (Output Encoding and Injection Prevention) applies to AI systems as well as traditional applications. Treat AI security tool inputs as untrusted data. Validate prompts, sanitize outputs, and monitor for manipulation attempts.

Lessons and Action Items for Your Team

Implement cryptographic package verification immediately. Configure your package managers to require valid signatures. For PyPI, use pip's --require-hashes flag and maintain a hash manifest for approved dependencies. For npm, enable its built-in signature verification. This stops compromised packages at ingestion.
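The hash-manifest check described above, as an added example (not code from the article or from StepSecurity): it reads the same `name==version --hash=sha256:...` line format that pip's --require-hashes mode accepts and rejects any downloaded artifact whose digest is not on the approved list. The package bytes, the manifest and the `ensmallen==0.0.0` pin are constructed placeholders, not a real release.

```python
import hashlib
import re

# Manifest lines follow the form pip's --require-hashes mode reads:
#   name==version --hash=sha256:<64 hex chars> [--hash=sha256:<...>]
MANIFEST_LINE = re.compile(
    r"^(?P<req>[A-Za-z0-9_.-]+==\S+)\s+(?P<hashes>(?:--hash=sha256:[0-9a-f]{64}\s*)+)$"
)

def parse_manifest(text: str) -> dict:
    """Map each pinned requirement to its set of approved sha256 digests.
    Any non-comment line that does not carry a valid hash pin is rejected."""
    approved = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"manifest line without a valid hash pin: {line!r}")
        approved[m.group("req")] = set(re.findall(r"sha256:([0-9a-f]{64})", m.group("hashes")))
    return approved

def verify_artifacts(approved: dict, artifacts: dict) -> list:
    """Check downloaded wheels/sdists (requirement -> file bytes) against the
    manifest. Returns the list of violations; an empty list means safe to install."""
    problems = []
    for req, data in artifacts.items():
        if req not in approved:
            problems.append(f"{req}: not in the approved manifest")
            continue
        digest = hashlib.sha256(data).hexdigest()
        if digest not in approved[req]:
            problems.append(f"{req}: sha256 {digest[:16]}... does not match any approved hash")
    return problems

def demo():
    """Constructed sample: the reviewed build of a package and a tampered copy.
    'ensmallen==0.0.0' is a placeholder pin, not a real release."""
    reviewed = b"constructed-wheel-bytes-for-the-approved-build"
    tampered = reviewed + b"\n# bytes that were not in the reviewed build"
    manifest_text = (
        "# approved dependencies, updated only through security review\n"
        f"ensmallen==0.0.0 --hash=sha256:{hashlib.sha256(reviewed).hexdigest()}\n"
    )
    approved = parse_manifest(manifest_text)
    return (verify_artifacts(approved, {"ensmallen==0.0.0": reviewed}),
            verify_artifacts(approved, {"ensmallen==0.0.0": tampered}))

if __name__ == "__main__":
    print(demo())
```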

Treat AI security tools as untrusted components. Apply the same security rigor to AI analyzers as any other system processing external input. Implement input validation on prompts, compare AI analysis results against rule-based scanners, and log every AI interaction for anomaly detection. Discrepancies between AI tool reports and other warnings should be investigated.
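One way to implement the cross-check and logging just described, as an added example that is not part of the article: the AI analyzer's answer is only accepted in a fixed JSON shape (output verification), a "clean" verdict that contradicts rule-based scanner hits is escalated rather than trusted, and every interaction produces an audit record. The JSON contract, the severity levels and the sample findings are assumptions made for this example.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

ALLOWED_STATUS = {"clean", "suspicious", "malicious"}

def parse_ai_output(text: str) -> Optional[dict]:
    """Output verification: the analyzer must answer in a fixed JSON shape.
    Free-form prose, missing fields or unknown status values are rejected."""
    try:
        obj = json.loads(text)
    except ValueError:
        return None
    if not isinstance(obj, dict) or obj.get("status") not in ALLOWED_STATUS:
        return None
    conf = obj.get("confidence")
    if not isinstance(conf, (int, float)) or not 0.0 <= conf <= 1.0:
        return None
    return {"status": obj["status"], "confidence": float(conf)}

def reconcile(ai_verdict: Optional[dict], rule_findings: list) -> str:
    """Combine the AI verdict with rule-based scanner findings
    (each {"rule": str, "severity": "low"|"medium"|"high"}).
    Returns "block", "investigate" or "allow"; the AI never gets the last word."""
    high = any(f["severity"] == "high" for f in rule_findings)
    if high or (ai_verdict and ai_verdict["status"] == "malicious"):
        return "block"
    if ai_verdict is None:
        return "investigate"   # unparseable or off-contract answer
    if rule_findings and ai_verdict["status"] == "clean":
        return "investigate"   # "clean" contradicting rule hits: the false-negative pattern
    if ai_verdict["status"] == "suspicious" or ai_verdict["confidence"] < 0.7:
        return "investigate"
    return "allow"

def audit_record(artifact: bytes, raw_ai_output: str, ai_verdict, rule_findings, decision) -> dict:
    """One append-only log entry per AI interaction. Hashing the scanned artifact
    and the raw answer lets a later review tie a suspect verdict to its exact input."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
        "ai_raw_sha256": hashlib.sha256(raw_ai_output.encode()).hexdigest(),
        "ai_status": ai_verdict["status"] if ai_verdict else "invalid",
        "rule_hits": [f["rule"] for f in rule_findings],
        "decision": decision,
    }

def scan_decision(artifact: bytes, raw_ai_output: str, rule_findings: list) -> dict:
    """Verify the AI output, reconcile it with the rule scanner, return the log record."""
    verdict = parse_ai_output(raw_ai_output)
    decision = reconcile(verdict, rule_findings)
    return audit_record(artifact, raw_ai_output, verdict, rule_findings, decision)
```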

Segment developer access to production systems. Create a promotion pipeline where code moves from development to staging to production with security gates at each transition. Developers should not have direct write access to production package repositories. Use a service account with MFA and approval workflows for production deployments.

Monitor for legitimate tools used maliciously. Hades used Bun because it's a legitimate toolkit that security tools often ignore. Build behavioral baselines for your development tools. If Bun starts making unusual network connections to GitHub, your monitoring should flag it—even though Bun itself is legitimate.
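The behavioral baseline described above, as an added example (not code from the article): each developer tool has a set of expected network peers, any connection outside it is flagged even though the binary itself is legitimate, and severity is raised when one process reaches several new peers in a row, since the campaign used multiple separate GitHub-hosted channels. The event line format, the baseline contents and the sample events are constructed for this example and say nothing about what Bun normally does.

```python
from collections import defaultdict

# Per-tool baseline of expected destinations (constructed for this sample; a real
# one is learned from a quiet period or curated per team). The Bun entry reflects
# what this sample fleet normally does, not a claim about Bun itself.
BASELINE = {
    "bun": {"registry.npmjs.org", "bun.sh"},
    "pip": {"pypi.org", "files.pythonhosted.org"},
    "git": {"github.com"},
}

def parse_event(line: str) -> dict:
    """Constructed event format: '<timestamp> <host> <process> <destination>'."""
    ts, host, proc, dest = line.split()
    return {"ts": ts, "host": host, "proc": proc, "dest": dest}

def in_baseline(proc: str, dest: str) -> bool:
    allowed = BASELINE.get(proc)
    if allowed is None:
        return False   # tool with no baseline: never silently allowed
    return any(dest == a or dest.endswith("." + a) for a in allowed)

def detect(lines) -> list:
    """Flag every connection a tool makes outside its baseline, then raise the
    severity when the same process on the same host reaches two or more new peers."""
    alerts, peers = [], defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if in_baseline(ev["proc"], ev["dest"]):
            continue
        peers[(ev["host"], ev["proc"])].add(ev["dest"])
        alerts.append({**ev, "severity": "medium", "reason": "destination outside baseline"})
    for a in alerts:
        if len(peers[(a["host"], a["proc"])]) >= 2:
            a["severity"] = "high"
    return alerts

# Constructed sample events: the bun process is the legitimate binary; the peers are unusual.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:01Z devbox1 bun registry.npmjs.org",
    "2024-01-01T10:00:05Z devbox1 pip files.pythonhosted.org",
    "2024-01-01T10:02:11Z devbox1 bun api.github.com",
    "2024-01-01T10:02:12Z devbox1 bun raw.githubusercontent.com",
    "2024-01-01T10:03:00Z devbox1 git github.com",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```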

Test your AI security tools adversarially. Before deploying an AI analyzer in production, test it with adversarial inputs. If you can craft a prompt that makes it ignore obvious malware, the tool needs hardening. Conduct regular red team exercises specifically targeting your AI security stack.

Establish package approval workflows. Avoid pulling dependencies directly into production. Maintain an internal mirror of approved packages, update it through a security review process, and configure your build systems to only pull from your mirror. New versions of packages like ensmallen should undergo security review before any production system sees them.

The Hades campaign shows that AI security tools are now attack targets, not just defense mechanisms. Your security architecture must account for the possibility that your AI analyzers could be compromised.
